APPLIED [OEM-5.17, OEM-6.0] Re: [SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/2] CVE-2023-3611
Timo Aaltonen
tjaalton at ubuntu.com
Fri Aug 4 10:08:44 UTC 2023
Cengiz Can kirjoitti 28.7.2023 klo 2.22:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
>
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
>
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
>
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
>
> Before the fix, all of our kernels (except Focal) was crashing with the
> reproducer.
>
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up buffer space of `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
>
> [Potential regression]
> All users that create traffic control rules using `tc` command might be
> affected.
>
> Pedro Tammela (2):
> net/sched: sch_qfq: refactor parsing of netlink parameters
> net/sched: sch_qfq: account for stab overhead in qfq_enqueue
>
> net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
> 1 file changed, 17 insertions(+), 15 deletions(-)
>
applied to oem-5.17, -6.0, thanks
--
t
More information about the kernel-team
mailing list